CFA PRIVACY POLICY

What does this policy cover?

This policy describes how The Cyprus Football Association will make use of your data on the CFA’s website and during your interaction with the CFA online and offline, including purchasing tickets for Cypriot games, data we may process in connection with the running of competitions, data we may process if you attend our tours or games, data we may handle if you supply or partner with the CFA or data we use to send you direct marketing.

It also describes your data protection rights, including a right to object to some of the processing which the CFA carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.

A number of activities the CFA carries out are subject to dedicated privacy policies. These will usually be provided on appropriate sites or forms you visit or complete – for example, users of the CFA’s football administration system (Whole Game System) will be given a specific privacy policy when they register or log into that system. A list of the CFA separate privacy policies is set out at the bottom of this policy.

Summary of how we use your data

The CFA uses your personal data to allow you to use the features in CFA content, to administer your online and offline relationships with the CFA, to manage the safety and security of our venues and events, to comply with the CFA’ legal obligations and to provide you with CFA products and services, and other offerings. Some of this information will be provided by you, and others will be generated by CFA or provided by third parties.

Our websites may provide interactive features that engage with social media sites, such as Facebook and Twitter. If you use these features, these sites will send us personal data about you.

We use cookies and other tracking technologies to personalize content and advertising and to make our content function better.

Where we rely on your consent, such as for direct marketing purposes, or to place cookies, you can withdraw this consent at any time.

Our privacy policy sets out more details of this processing, including details of your data protection rights, including your right to object to certain processing.

What information do we collect?

We collect and process personal data about you when you interact with us and our websites, when you purchase goods and services from us, where you visit our venues, when we carry out market research and when you enter our commercial and football competitions. This will typically be provided directly by you, and may include information you provide on registration or in the process of a purchase, such as your name, address, email address, marketing preferences and payment details. The details being provided by you will be made clear in forms you complete or will be provided directly by you in surveys, in purchasing tickets, in entering competitions or in volunteering information in communications or content you provide us.

What information do we generate or receive from third parties?

We may generate or collect information about you ourselves. In an online context, much of this is set out in our Cookies section.

Sometimes, we receive information about you from third parties. For example, if your login to a site or app using Facebook Connect you will be asked if you wish to share information from your Facebook account with us. If you use a "like" or a "share" button for a feature on our sites or apps, then the third party will share information with us. If you participate in activities on non-CFA sites or apps - such as participating in a Facebook application - you may allow us to have access to personal data held by Facebook, or other site or app owners. We sometimes will receive relevant information from third party ticketing sites, such as Ticketmaster, to manage your purchases. We also receive information about individuals that the police or other sports stakeholders recommend or require us to ban from our grounds. We may also obtain information about you from third party demographics providers, which we may use to help us better understand our users and send them appropriate offers and information.

If we provide online services to a child where we need parental consent for this, we may ask for a parent's email address, in order to ask for consent.

Where you are participating in an CFA event or competition, we may receive information about you from another team member or official responsible for entering you or your team into our competition. This will typically involve basic biographical information, including your contact email address.

How do we use this information, and what is the legal basis for this use?

We process this personal data for the following purposes:

To fulfil a contract, or take steps linked to a contract: this is relevant where you make a purchase from us or enter a competition we run. This includes:

verifying your identity;

taking payments;

communicating with you;

administer the competition (where relevant); and

providing customer services and arranging the delivery or other provision of products, prizes or services.

As required by CFA to contact our association and pursue our legitimate interests, in particular:

we will use your information to provide products and services you have requested and to respond to any comments or complaints you may send us;

we monitor use of our venues, websites and online services, and use your information to help us monitor, improve and protect our venues, products, content, services and websites, both online and offline;

we use information you provide to personalize our website, products or services for you;

if you provide a credit or debit card as payment, we also use third parties to check the validity of the sort code, account number and card number you submit in order to prevent fraud (see data sharing below);

we process data you provide when you enter your team into an CFA event or competition so that we can administer that competition, communicate with you and ensure eligibility. If this involves sensitive personal data, such as information about disability used to ensure eligibility for a disabled competition, we do this to ensure the integrity of our competition;

we use information you provide as well as information which we have collected about you to investigate any complaints received from you or from others, about our website and venues or our products or services;

we will use data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation); and

we use data of some individuals to invite them to take part in market research.

Where you give us consent:

we will send you direct marketing in relation to our relevant products and services, or other products and services provided by us and carefully selected partners and sponsors;

we place cookies and use similar technologies in accordance with our Cookies Policy (see below) and the information provided to you when those technologies are used; and

on other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

For purposes which are required by law:

where we are required to hold or collect personal data to meet legal requirements on us, such as keeping health and safety records, details of purchases or ensuring banned fans are not given access to our venues;

where we need parental consent to provide online services to children under 13. However, most of our websites are not designed for children under 13; and

where in response to requests by government or law enforcement authorities investigating.

Withdrawing consent or otherwise objecting to direct marketing

Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.

What cookies and/or tracking technologies does CFA use?

When you visit one of our websites, we may also collect, process and use information about you and your use of the website, including any forums you visit and how you arrived at our site. Such information may be collected through "traffic data" and may entail the use of "cookies" or other tracking technologies, IP addresses or other numeric codes used to identify your computer.

Who will we share this data with, where and when?

We will share your personal data between CFA as necessary to provide the products and services you have requested, to maintain a single customer view across CFA’s and to fulfill any of the other purposes set out above.

We will share your data with relevant third parties for the purposes set out above, in particular we will share details of fans or participants with other football, other footballing governing bodies and the police where this is necessary to enforce stadium or travel bans. We will also share data with third parties holding events at our venues as necessary to ensure that your attendance is appropriately managed and we will share appropriate data with third party ticketing providers as necessary to manage our ticketing processes.

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

Personal data will also be shared with third party service providers, who will process it on behalf of CFA for the purposes identified above. Such third parties include providers of website hosting, security services, maintenance, call center operations and identity checking. Some of our suppliers may be separate data controllers, such as market research organizations, and may provide you with their own privacy notice where appropriate.

Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules. A copy of the relevant mechanism can be provided for your review on request by contacting us using the details set out below. Where data is transferred outside the EEA due to your purchase of tickets to a game taking place outside the EEA, this data is transferred as necessary to facilitate your travel and fulfill your contract.

What rights do I have?

You have the right to ask us for a copy of your personal data; to correct, delete or restrict (stop any active) processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing).

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018. We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, you can get in touch with us – or our data protection officer – using the details set out below. If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.

Data that is mandatory is indicated on relevant forms that you complete. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to fulfil your requests to register, make a purchase or otherwise engage with the CFA. All other provision of your information is optional.

How do I get in touch with you, or your data protection officer?

We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, or would like to opt out of direct marketing, you can get in touch at info@cfa.com.cy.

How long will you retain my data?

Where we process data in connection with your registration to use CFA sites, we do this for as long as you are an active user of our sites and for 5 seasons after this.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.

Where we process personal data in connection with performing a contract or for a competition, we keep the data for 7 years from your last interaction with us or from when the contract ends.

Where we process personal data to meet legal requirements, we hold this for as long as the law requires.

We hold information relating to visitors to our venues for a month.

Where your data is held on CFA systems, then at the end of the retention periods set out above, we will not irrevocably delete your information for another 3 months – your data will be held in an inactive form for this time to ensure that any consequential links across our systems remain intact in the event that your data is removed in a particular location.